- From: Brad Hill <hillbrad@fb.com>
- Date: Tue, 18 Nov 2014 01:48:56 +0000
- To: Deian Stefan <deian@cs.stanford.edu>, Ilya Grigorik <ilya@igvita.com>, Anne van Kesteren <annevk@annevk.nl>
- CC: Brian Smith <brian@briansmith.org>, Boris Zbarsky <bzbarsky@mit.edu>, "public-webappsec@w3.org" <public-webappsec@w3.org>
I guess this would count as a meaningful CSP violation. (link rel=stylesheet in header, though haven't looked in to see if it works without also repetitively listing it in the response body content) I thought it might be a case of such, but didn't find documentation for anything other than prefetching in the header version.

https://code.google.com/p/chromium/issues/detail?id=58456#c15

On 11/17/14, 4:50 PM, "Deian Stefan" <deian@cs.stanford.edu> wrote:

>Brad Hill <hillbrad@fb.com> writes:
>
>> I wonder a bit how much this actually matters for the guarantees we're trying to make for CSP?
>>
>> If I prefetch something that is later denied to be included / transcluded into a page via CSP, have I violated the policy?
>>
>> Even if we decide to use CSP for confinement (which it presently makes no strong guarantees of) is link fetching that happens before the instantiation of a resource in the scope of that confinement?
>>
>> I think an example of an actual vulnerability that we would care about addressing would help me reason about this better.
>
>I think you're right, this is not technically a violation of the policy. Even in the context of confinement. I think the issue is one of mistakenly assuming that the CSP applies to all fetching vs. it only applying to all subsequent fetches.
>
>Deian
Received on Tuesday, 18 November 2014 01:49:44 UTC
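The exchange above turns on two separate questions: whether a URL delivered in an HTTP Link header (rel=stylesheet or rel=prefetch) is even covered by a CSP directive, and whether the fetch happens before the policy is in force. The following is an added example, not code from the thread, from any browser, or from the Chromium bug linked above. It models only the first question: it parses a Link header and a CSP header and evaluates each link against the source list that would govern it, using CSP 1.0/CSP2 host, scheme and 'self' matching. The sample headers, page URL, and the `DIRECTIVE_FOR_REL` table are assumptions made for the example; the fetch-timing question the thread raises is deliberately not modelled.

```javascript
// Added example (not from the thread or any browser): evaluate URLs carried
// by an HTTP Link header against a page's Content-Security-Policy source
// lists. Only source-list matching is modelled; whether a Link-header fetch
// is subject to the policy at all (the timing question) is out of scope.

// Parse an RFC 5988 Link header into [{ url, rel: [...] }, ...].
function parseLinkHeader(header) {
  const links = [];
  for (const part of header.split(/,(?=\s*<)/)) {
    const m = part.trim().match(/^<([^>]*)>\s*(.*)$/);
    if (!m) continue;
    const params = {};
    for (const p of m[2].split(";")) {
      const kv = p.trim().match(/^([^=]+?)\s*=\s*"?([^"]*)"?$/);
      if (kv) params[kv[1].toLowerCase()] = kv[2];
    }
    const rel = (params.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
    links.push({ url: m[1], rel });
  }
  return links;
}

// Parse a CSP header into { directiveName: [sourceExpression, ...] }.
function parseCsp(header) {
  const directives = {};
  for (const d of header.split(";")) {
    const tokens = d.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

function defaultPort(protocol) {
  return { "http:": "80", "https:": "443" }[protocol] || "";
}

// Does one CSP source expression match a target URL? `target` and `page` are URL objects.
function sourceMatches(expr, target, page) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "*") return true;
  if (e === "'self'") return target.origin === page.origin;
  if (e.startsWith("'")) return false;            // 'unsafe-inline' etc. never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return target.protocol === e; // scheme source, e.g. https:
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme) {
    if (target.protocol !== scheme + ":") return false;
  } else if (target.protocol !== page.protocol &&
             !(page.protocol === "http:" && target.protocol === "https:")) {
    return false; // CSP2: a scheme-less host source inherits the page's scheme (http may upgrade to https)
  }
  if (host.startsWith("*.")) {
    if (!target.hostname.endsWith(host.slice(1))) return false; // *.example.com matches sub.example.com only
  } else if (target.hostname !== host) {
    return false;
  }
  if (port && port !== "*" && (target.port || defaultPort(target.protocol)) !== port) return false;
  return true;
}

// Is `url` permitted by `directive`, falling back to default-src as CSP does?
function isAllowed(csp, directive, url, page) {
  const list = csp[directive] || csp["default-src"];
  if (!list) return true; // nothing governs this fetch type
  const target = new URL(url, page.href);
  return list.some((e) => sourceMatches(e, target, page));
}

// Which directive governs a Link relation (assumed table for this example).
// CSP 1.0 defines style-src for stylesheets but no directive for rel=prefetch,
// so a header-delivered prefetch has no source list to be checked against.
const DIRECTIVE_FOR_REL = { stylesheet: "style-src" };

function checkLinkHeader(linkHeader, cspHeader, pageUrl) {
  const page = new URL(pageUrl);
  const csp = parseCsp(cspHeader);
  return parseLinkHeader(linkHeader).map((link) => {
    const governed = link.rel.filter((r) => DIRECTIVE_FOR_REL[r]);
    return {
      url: link.url,
      rel: link.rel,
      governed: governed.length > 0,
      allowed: governed.length
        ? governed.every((r) => isAllowed(csp, DIRECTIVE_FOR_REL[r], link.url, page))
        : null, // no directive applies, so CSP has nothing to say
    };
  });
}

// Constructed sample headers (assumed, not taken from the thread or the Chromium bug).
const SAMPLE_LINK =
  "<https://cdn.example.net/site.css>; rel=stylesheet, " +
  "</next.html>; rel=prefetch, " +
  '<https://self.example.org/app.css>; rel="stylesheet"; type="text/css"';
const SAMPLE_CSP = "default-src 'self'; style-src 'self' https://*.example.com";
const SAMPLE_PAGE = "https://self.example.org/index.html";

function demo() {
  return checkLinkHeader(SAMPLE_LINK, SAMPLE_CSP, SAMPLE_PAGE);
}

console.log(JSON.stringify(demo(), null, 2));
```

Run under Node.js (the global `URL` class is used, no packages needed). With the sample headers, the off-origin stylesheet is governed by style-src and rejected, the same-origin one is accepted, and the rel=prefetch entry comes back with `governed: false` and `allowed: null`, which is the gap the thread is circling: until a directive covers the relation, the policy has no opinion on that fetch regardless of when it happens.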